Repo APT secure - apt-get update: GPG signature invalid

After setting up a new apt repository with aptly, signing the repository, serving it with aptly and adding the public gpg key to the apt keyring, I get a failure when running apt update:

Err:3 http://#REPO_URL#/#NAME# #DISTRIBUTION# InRelease                                    
  The following signatures were invalid: #KEY_ID#
Hit:4 http://apt.postgresql.org/pub/repos/apt sid-pgdg InRelease                  
Reading package lists... Done
W: GPG error: http://#REPO_URL#/#NAME# #DISTRIBUTION# InRelease: The following signatures were invalid: #KEY_ID#
E: The repository 'http://#REPO_URL#/#NAME# #DISTRIBUTION# InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

But the signature and the gpg key are both fine. I successfully verified the gpg signature on the InRelease file:

curl http://#REPO_URL#/InRelease | gpg --keyring /etc/apt/trusted.gpg --verify
gpg: Signature made Wed 11 Jan 2017 04:01:23 PM CET
gpg:                using RSA key #KEY_ID#
gpg: Good signature from "#DESCRIPTION_GPG_KEY#" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: #GOOD_KEY_FINGERPRINT#

I also verified the Release and Release.gpg files with a similar command.

I tried to find out what apt does during apt update, using strace -o /tmp/strace -ff apt update and then grep:

grep 'apt.*key' ./strace*
./strace.29829:execve("/usr/bin/apt-key", ["/usr/bin/apt-key", "--quiet", "--readonly", "verify", "--status-fd", "3", "/tmp/apt.sig.ORUwxh", "/tmp/apt.data.kKXyrN"], [/* 28 vars */]) = 0
./strace.29829:open("/usr/bin/apt-key", O_RDONLY)      = 4
./strace.29888:execve("/usr/bin/apt-key", ["/usr/bin/apt-key", "--quiet", "--readonly", "verify", "--status-fd", "3", "/tmp/apt.sig.utRWBD", "/tmp/apt.data.Fo1Lka"], [/* 28 vars */]) = 0
./strace.29888:open("/usr/bin/apt-key", O_RDONLY)      = 4
./strace.29947:execve("/usr/bin/apt-key", ["/usr/bin/apt-key", "--quiet", "--readonly", "verify", "--status-fd", "3", "/tmp/apt.sig.ug6xiV", "/tmp/apt.data.Yv4zFs"], [/* 28 vars */]) = 0
./strace.29947:open("/usr/bin/apt-key", O_RDONLY)      = 4
./strace.30006:execve("/usr/bin/apt-key", ["/usr/bin/apt-key", "--quiet", "--readonly", "verify", "--status-fd", "3", "/tmp/apt.sig.QSyrCg", "/tmp/apt.data.LK9DGO"], [/* 28 vars */]) = 0
./strace.30006:open("/usr/bin/apt-key", O_RDONLY)      = 4

How can I debug and fix this error?

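Answer 1

I ran into the same problem when upgrading from Debian 8 (jessie) to Debian 9 (stretch). It turned out that Debian 9 requires a GPG key of at least 2048 bits, and mine was only 1024 bits. The following steps worked for me:

  • Create a new 4096-bit GPG key
  • Update my GPG configuration to use that key as the default key (~/.gnupg/gpg.conf, default-key option)
  • Re-sign my Release file, creating Release.gpg and InRelease

At that point, everything started working again.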
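
The question shows gpg --verify reporting a good signature while apt rejects it, and Answer 1 traces that to the length of the signing key. The script below is an added example, not part of the original question or answers: it reads a gpg --with-colons key listing and reports RSA, DSA and Elgamal keys shorter than the 2048 bits Answer 1 cites. The function name weak_keys and the sample listing are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not from the original post.
# Reports RSA/DSA/Elgamal keys shorter than MIN_BITS in a `gpg --with-colons`
# listing. Colon-format fields used: 1 = record type, 3 = key length in bits,
# 4 = public-key algorithm id, 5 = key id.

MIN_BITS=2048   # threshold quoted in Answer 1

# Constructed sample listing: key ids, fingerprints, dates and names are made up.
SAMPLE_LISTING='pub:-:1024:17:AAAAAAAAAAAA0001:1262304000:::-:::scESC:
fpr:::::::::000000000000000000000000AAAAAAAAAAAA0001:
uid:-::::1262304000::::Old repo key <old@example.invalid>:
sub:-:1024:16:AAAAAAAAAAAA0002:1262304000::::::e:
pub:-:4096:1:BBBBBBBBBBBB0001:1484146883:::-:::scESC:
fpr:::::::::000000000000000000000000BBBBBBBBBBBB0001:
uid:-::::1484146883::::New repo key <new@example.invalid>:
sub:-:4096:1:BBBBBBBBBBBB0002:1484146883::::::e:
pub:-:256:22:CCCCCCCCCCCC0001:1484146883:::-:::scSC:
fpr:::::::::000000000000000000000000CCCCCCCCCCCC0001:
uid:-::::1484146883::::Curve key <ecc@example.invalid>:'

# weak_keys (hypothetical helper): reads a colon listing on stdin and prints
# one line per primary key or subkey that is below MIN_BITS.
weak_keys() {
    awk -F: -v min="$MIN_BITS" '
        # Only pub (primary key) and sub (subkey) records carry length and algorithm.
        $1 == "pub" || $1 == "sub" {
            algo = $4 + 0
            bits = $3 + 0
            # Bit length is comparable only for RSA (1-3), Elgamal (16) and DSA (17).
            # ECC keys (18, 19, 22) report curve sizes such as 256 and are skipped.
            if (((algo >= 1 && algo <= 3) || algo == 16 || algo == 17) && bits < min)
                printf "%s %s %d-bit algo=%d\n", $1, $5, bits, algo
        }'
}

# Run against the constructed sample. For the keyring from the question:
#   gpg --no-default-keyring --keyring /etc/apt/trusted.gpg \
#       --list-keys --with-colons | weak_keys
printf '%s\n' "$SAMPLE_LISTING" | weak_keys
```

An empty result means no listed key falls below the threshold; any line printed names a key that would need to be replaced and the repository re-signed, as in the steps of Answer 1.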

Answer 2

This error came from a buggy version of aptly (I don't remember which version).

After upgrading, the error went away.